new-stock-analyzer

Security checks across malware telemetry and agentic risk

Overview

The skill’s stock-analysis purpose is coherent, but it also installs dependencies and a persistent cron job with under-scoped host changes that users should review first.

Review the setup script before running it. Install dependencies in a virtual environment, pin or lock package versions, and only enable the cron job if you want the skill to keep running daily. After testing, check your crontab and remove the entry if you no longer need scheduled stock reports. Treat the investment analysis and validation output as informational, not verified financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
Findings (26)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises significant capabilities—network access, environment use, and filesystem read/write—without declaring corresponding permissions or clearly constraining them. This undermines least-privilege review and can cause operators to approve a skill without understanding that it can persist data, inspect local context, or make outbound requests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose focuses on IPO analysis and notifications, but the described behavior extends into cron installation, system checks, package/setup actions, local file generation, and operational metadata handling. That mismatch is dangerous because users may authorize what appears to be a data-analysis skill while it also modifies host persistence and writes artifacts, increasing the chance of stealthy or unintended system impact.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The report states that market classification, subscription date, and issue price are 'completely consistent', but the comparison logic only intersects stock codes and never validates those fields. In a stock-analysis skill, this can mislead users into trusting data quality claims and making financial decisions based on unverified or stale information.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script automatically runs pip3 install at runtime, which expands the skill's capabilities and modifies the host environment without explicit user approval. This is risky because it performs network-based package installation and executes package-install logic on the host, creating supply-chain exposure and undermining reproducibility; in an agent skill, that makes the script more dangerous than a normal local utility.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script automatically runs `pip3 install -r requirements.txt` when imports fail, which changes the host environment without prior approval. In an agent skill context, dependency installation can execute arbitrary package install hooks or pull unpinned/compromised packages, making this behavior riskier than ordinary analysis or notification logic.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The setup script performs host-level package installation using sudo, which changes the system outside the narrowly expected scope of a stock-analysis helper. Even if intended for convenience, automatic system modification expands blast radius and can surprise users in environments where skills are expected to stay within their own directory or virtual environment.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script installs a persistent daily cron job that continuously executes code in the background, creating persistence on the host. Persistence is security-sensitive because any compromise of the project files later turns into repeated automatic execution, and this behavior is broader than a one-shot analysis tool.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Installing dependencies via pip with no confirmation is unsafe because it performs network and package-management actions implicitly during normal script execution. In a skill expected to analyze stocks and send notifications, this unexpected side effect increases supply-chain and environment-integrity risk, especially if `requirements.txt` is modified or contains unpinned packages.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script invokes sudo for package installation without an upfront high-visibility warning that it will request elevated privileges and alter the system package state. Users may consent to running the setup for app configuration but not realize it performs privileged host changes, increasing the risk of unsafe execution.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The script downloads and installs Python packages from the network without prominently warning the user that external code will be fetched and executed during installation. While common in setup flows, this still carries supply-chain risk and should be disclosed clearly.

Session Persistence

Medium
Category
Rogue Agent
Content
bash scripts/setup_cron.sh

# Or set up cron manually (default 10:00)
crontab -e
# Add the following line:
0 10 * * * cd /path/to/new-stock-analyzer && bash scripts/openclaw_daily.sh
Confidence
91% confidence
Finding
crontab -e

Unpinned Dependencies

Low
Category
Supply Chain
Content
# New stock analysis tool dependencies

# Core dependencies
requests>=2.28.0
beautifulsoup4>=4.11.0
lxml>=4.9.0
pandas>=1.5.0
Confidence
94% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core dependencies
requests>=2.28.0
beautifulsoup4>=4.11.0
lxml>=4.9.0
pandas>=1.5.0
pyyaml>=6.0
Confidence
94% confidence
Finding
beautifulsoup4>=4.11.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core dependencies
requests>=2.28.0
beautifulsoup4>=4.11.0
lxml>=4.9.0
pandas>=1.5.0
pyyaml>=6.0
python-dotenv>=0.21.0
Confidence
96% confidence
Finding
lxml>=4.9.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
beautifulsoup4>=4.11.0
lxml>=4.9.0
pandas>=1.5.0
pyyaml>=6.0
python-dotenv>=0.21.0
Confidence
89% confidence
Finding
pandas>=1.5.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
beautifulsoup4>=4.11.0
lxml>=4.9.0
pandas>=1.5.0
pyyaml>=6.0
python-dotenv>=0.21.0

# Development dependencies (optional)
Confidence
97% confidence
Finding
pyyaml>=6.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
lxml>=4.9.0
pandas>=1.5.0
pyyaml>=6.0
python-dotenv>=0.21.0

# Development dependencies (optional)
pytest>=7.0.0
Confidence
90% confidence
Finding
python-dotenv>=0.21.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-dotenv>=0.21.0

# Development dependencies (optional)
pytest>=7.0.0
black>=22.0.0
flake8>=5.0.0
Confidence
82% confidence
Finding
pytest>=7.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Development dependencies (optional)
pytest>=7.0.0
black>=22.0.0
flake8>=5.0.0
Confidence
82% confidence
Finding
black>=22.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Development dependencies (optional)
pytest>=7.0.0
black>=22.0.0
flake8>=5.0.0
Confidence
82% confidence
Finding
flake8>=5.0.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
91% confidence
Finding
requests

Known Vulnerable Dependency: lxml — 10 advisory(ies): CVE-2021-43818 (lxml's HTML Cleaner allows crafted and SVG embedded scripts to pass through); CVE-2014-3146 (lxml Cross-site Scripting Via Control Characters); CVE-2021-28957 (lxml vulnerable to Cross-Site Scripting ) +7 more

High
Category
Supply Chain
Confidence
95% confidence
Finding
lxml

Known Vulnerable Dependency: pyyaml — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
97% confidence
Finding
pyyaml

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
77% confidence
Finding
python-dotenv

Known Vulnerable Dependency: pytest — 1 advisory(ies): CVE-2025-71176 (pytest has vulnerable tmpdir handling)

Low
Category
Supply Chain
Confidence
72% confidence
Finding
pytest

VirusTotal

61/61 vendors flagged this skill as clean.
